Introduction to Tehama

If you read only one page before getting started with Tehama Privileged Service Management, read this one.

First a few key concepts

See the Glossary for more, but do that later.

User

This one is simple: everyone with a login ID is a user. Once you are invited, one of the first steps is to complete your personal profile.

Organization and Member

Organizations are the main account concept. An organization is generally created by, and maps to, a single service buyer organization or a single IT provider organization. Large enterprises may want to create more than one organization in order to have separate billing, but let's not worry about that for now.

Organizations have a set of Members: users that have been invited and are trusted by the organization. Each member is given a role of "Administrator", "Manager" or "Staff". This role controls what the member can do on behalf of the Organization, and it can be changed as circumstances require.

An organization has exactly one "Administrator" member, who has full responsibility for and control over the resources used by the Organization. The first person from your organization/company to be invited creates both the organization account and a user account, and automatically becomes the Administrator of the organization. The Administrator can "step down" by selecting a new Administrator from among the Managers; the old Administrator becomes a Manager.

An organization can have multiple "Managers", invited by the "Administrator". Managers can perform every action an Administrator can, except those related to billing and payment.

All other members of an organization are "Staff" members, invited by the "Administrator" or one of the "Managers".

An organization owns, controls and/or uses Rooms in Tehama.

Room

A room is the main concept enabling Tehama Privileged Service Management. It lets an organization easily create a secure and audited virtual private extension of a network in which remote people work. We sometimes call this a whiteroom, since that is a good analogy.

A room is connected to a network. More on this later.

A room is a container with a set of tools and services running within it, for example Desktops, Secrets Vault, File Vault, Applications, ... . The only way these services and tools can discover the resources available to them is through the connection the room provides.

An organization can have three relationships to a room. The first is "owner": the owner has agreed to pay for the room and controls which services/tools are provisioned into it. The second is "connected": the connected organization controls which other organizations and which members have access to the room, and which assets are accessible through it. The third is "use": a using organization can request that particular Members of its organization be granted access.

Why this complexity? In short, to separate access control, which always belongs to the organization connected to the room, from control over the services/tools provisioned in the room. A typical case is a service provider organization that pays for the room and so, as owner, controls the infrastructure available in it, while the connected service buyer organization keeps full control over who and what can be accessed through it.

As mentioned earlier, a room is connected to a network. The connection is established by installing a gateway agent on the network being connected; the agent works in conjunction with a gateway service (and a secrets vault) running in the room. The "connected" organization configures both sides: it first installs the gateway agent somewhere on its own infrastructure, then uses the room's firewall rules and secrets vault user interfaces to define the access rules, passwords, secrets, services, ... that the room may use.
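To make the two control planes on this page concrete, here is an added illustrative model, not Tehama's own code or API: the `Role`, `Organization` and `Room` classes, the action names and the sample organizations are all hypothetical. It encodes the member roles (one Administrator, Managers without billing rights, Staff without administrative rights) and the owner/connected/use room relationships as a single authorization check, and exercises the Administrator step-down transfer.

```python
"""Illustrative policy model of the concepts on this page (hypothetical names)."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    ADMINISTRATOR = "Administrator"
    MANAGER = "Manager"
    STAFF = "Staff"


# Organization-level actions reserved for the Administrator. Managers may do
# everything else the Administrator can.
ADMIN_ONLY_ACTIONS = {"billing", "payment", "step_down"}

# Which room relationship authorizes which room-level action (assumed mapping).
ROOM_ACTIONS = {
    "provision_service": "owner",          # decide which tools/services run in the room
    "grant_member_access": "connected",    # decide which orgs and members may enter
    "configure_gateway": "connected",      # gateway agent, firewall rules, secrets vault
    "request_member_access": "use",        # ask the connected org to admit your members
}


@dataclass
class Organization:
    name: str
    members: dict = field(default_factory=dict)  # user id -> Role

    def administrator(self) -> str:
        admins = [u for u, r in self.members.items() if r is Role.ADMINISTRATOR]
        if len(admins) != 1:
            raise ValueError(f"{self.name}: expected one Administrator, found {len(admins)}")
        return admins[0]

    def invite(self, inviter: str, invitee: str, role: Role) -> None:
        inviter_role = self.members[inviter]
        if role is Role.ADMINISTRATOR:
            raise PermissionError("Administrator is transferred via step_down, not invitation")
        if role is Role.MANAGER and inviter_role is not Role.ADMINISTRATOR:
            raise PermissionError("only the Administrator invites Managers")
        if inviter_role is Role.STAFF:
            raise PermissionError("Staff members cannot invite")
        self.members[invitee] = role

    def step_down(self, new_admin: str) -> None:
        old_admin = self.administrator()
        if self.members.get(new_admin) is not Role.MANAGER:
            raise PermissionError("the new Administrator must be chosen from the Managers")
        self.members[new_admin] = Role.ADMINISTRATOR
        self.members[old_admin] = Role.MANAGER
        self.administrator()  # re-check the single-Administrator invariant

    def may_act(self, user: str, action: str) -> bool:
        role = self.members.get(user)
        if role is Role.ADMINISTRATOR:
            return True
        if role is Role.MANAGER:
            return action not in ADMIN_ONLY_ACTIONS
        return False  # Staff hold no administrative permissions in this model (assumption)


@dataclass
class Room:
    name: str
    relationships: dict = field(default_factory=dict)  # org name -> {"owner", "connected", "use"}

    def authorize(self, org: Organization, user: str, action: str) -> bool:
        """Two independent checks: the organization must hold the relationship the
        action requires, and the user must hold a role allowed to act for it."""
        needed = ROOM_ACTIONS[action]
        if needed not in self.relationships.get(org.name, set()):
            return False
        return org.may_act(user, action)


def scenario():
    """Constructed sample: a provider pays for the room, a buyer's network is connected."""
    provider = Organization("provider", {"p-admin": Role.ADMINISTRATOR})
    provider.invite("p-admin", "p-mgr", Role.MANAGER)
    buyer = Organization("buyer", {"b-admin": Role.ADMINISTRATOR})
    buyer.invite("b-admin", "b-mgr", Role.MANAGER)
    buyer.invite("b-mgr", "b-staff", Role.STAFF)
    room = Room("whiteroom-1", {"provider": {"owner", "use"}, "buyer": {"connected"}})
    return provider, buyer, room


if __name__ == "__main__":
    provider, buyer, room = scenario()
    print("provider manager provisions:", room.authorize(provider, "p-mgr", "provision_service"))
    print("provider admin grants access:", room.authorize(provider, "p-admin", "grant_member_access"))
    print("buyer manager configures gateway:", room.authorize(buyer, "b-mgr", "configure_gateway"))
```

The point the model makes is that paying for the room (owner) never confers access control: the provider's Administrator is refused `grant_member_access` even though they hold the strongest role, because that decision belongs to the connected organization's Administrator or Managers.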

Organization - Members - Room

Now that you understand the key concepts, let's Get Started!